Privacy Policy

Last updated: March 2026

1. Introduction

This Privacy Policy explains how Studio Mikado, a company registered in Belgium ("Studio Mikado", "we", "us", "our"), collects, uses, stores, and protects personal data when you use the Mikabot platform, including the web application, dashboard, API, and embeddable chatbot widget (collectively, the "Service").

We process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Belgian Data Protection Act of 30 July 2018, and all other applicable data protection legislation.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. This Privacy Policy should be read together with our Terms of Use and Cookie Policy.

2. Data Controller

The data controller for personal data processed through the Service is:

Studio Mikado
Belgium
Email: [email protected]
Website: mikabot.chat

If you are a Mikabot user (store owner) who embeds our chatbot widget on your website, you act as a data controller with respect to the personal data of your end users (website visitors who interact with the chatbot). Studio Mikado acts as a data processor on your behalf for that data. You are responsible for ensuring that your use of the chatbot complies with applicable data protection laws, including providing appropriate privacy notices to your end users.

3. Personal Data We Collect

We collect and process the following categories of personal data:

3.1 Account Data

When you create an account, we collect:

  • Full name
  • Email address
  • Password (stored in hashed form only)
  • Language preference

3.2 Billing Data

When you subscribe to a paid plan, our payment provider Mollie collects and processes your payment details. We store:

  • Billing name and address
  • Subscription plan and billing history
  • Mollie customer and subscription identifiers

We do not store credit card numbers or full payment credentials on our servers.

3.3 Store and Product Data

When you set up a store, we process:

  • Store name, URL, and configuration settings
  • Product catalog data (product names, descriptions, prices, images, categories)
  • Custom chatbot instructions and branding settings

3.4 Conversation Data

When end users interact with the chatbot widget, we process:

  • Chat messages exchanged between the end user and the chatbot
  • Session identifiers
  • Timestamps
  • Language detected
  • Any personal data the end user voluntarily shares in the conversation (e.g. email address, name)

3.5 Technical and Usage Data

When you or your end users access the Service, we may automatically collect:

  • IP address (anonymised where possible)
  • Browser type and version
  • Device type and operating system
  • Pages visited and features used
  • Referring URL
  • Date and time of access

4. Purposes and Legal Bases for Processing

We process personal data for the following purposes, each with a corresponding legal basis under Article 6 of the GDPR:

| Purpose | Legal basis |
|---|---|
| Providing and operating the Service (account management, chatbot functionality, product recommendations) | Performance of a contract (Art. 6(1)(b)) |
| Processing payments and managing subscriptions | Performance of a contract (Art. 6(1)(b)) |
| Sending service-related communications (account notifications, security alerts, billing updates) | Performance of a contract (Art. 6(1)(b)) |
| Improving the Service (analysing usage patterns, fixing bugs, developing new features) | Legitimate interest (Art. 6(1)(f)) |
| Ensuring security and preventing fraud | Legitimate interest (Art. 6(1)(f)) |
| Complying with legal obligations (tax records, law enforcement requests) | Legal obligation (Art. 6(1)(c)) |
| Sending marketing communications (only with your explicit consent) | Consent (Art. 6(1)(a)) |

Where we rely on legitimate interest, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. You may object to processing based on legitimate interest at any time (see Section 9).

5. AI Processing

The Service uses third-party artificial intelligence models (including OpenAI) to generate chatbot responses. When the chatbot processes a conversation:

  • Conversation messages and relevant product data are sent to the AI model provider to generate a response.
  • We do not use your personal data or conversation data to train AI models. However, the third-party AI provider may process data in accordance with their own data processing terms.
  • AI-generated responses are not reviewed by humans unless you report an issue or we are investigating a technical problem.

We have entered into data processing agreements with our AI providers that include appropriate safeguards for personal data.

6. Data Recipients and Third-Party Processors

We do not sell your personal data. We may share personal data with the following categories of recipients, solely for the purposes described in this Privacy Policy:

  • Hosting provider - for infrastructure and data storage (servers located in the EU)
  • OpenAI - for AI-powered chatbot responses (data processing agreement in place)
  • Mollie - for payment processing (PCI DSS compliant, EU-based)
  • Mailgun - for transactional email delivery
  • Analytics tools - for anonymised usage analytics

All third-party processors are bound by data processing agreements that require them to process personal data only on our instructions and to maintain appropriate security measures.

We may also disclose personal data if required by law, regulation, legal process, or a binding government request.

7. International Data Transfers

We store data primarily on servers located within the European Economic Area (EEA). Where personal data is transferred outside the EEA (for example, to OpenAI in the United States), we ensure that appropriate safeguards are in place, such as:

  • European Commission adequacy decisions
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data processing agreements with appropriate supplementary measures

You may request information about the specific safeguards applied to international transfers by contacting us.

8. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:

  • Account data: Retained for the duration of your account. Upon account deletion, personal data is removed within 30 days, except where retention is required by law.
  • Billing data: Retained for the period required by Belgian tax and accounting law (currently 7 years from the end of the financial year).
  • Conversation data: Retained for the duration of the store owner's account. Store owners may delete individual conversations or request bulk deletion.
  • Technical and usage data: Retained in anonymised form for up to 26 months for analytics purposes.

When data is no longer needed, it is securely deleted or anonymised so that it can no longer be associated with you.

9. Your Rights Under the GDPR

As a data subject, you have the following rights under the GDPR. You may exercise these rights at any time by contacting us at [email protected]:

  • Right of access (Art. 15): You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data.
  • Right to rectification (Art. 16): You have the right to have inaccurate personal data corrected and incomplete data completed.
  • Right to erasure (Art. 17): You have the right to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent.
  • Right to restriction of processing (Art. 18): You have the right to request that we restrict the processing of your personal data in certain circumstances.
  • Right to data portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
  • Right to object (Art. 21): You have the right to object to processing based on legitimate interest or direct marketing at any time.
  • Right to withdraw consent (Art. 7): Where processing is based on your consent, you may withdraw consent at any time without affecting the lawfulness of processing carried out before the withdrawal.
  • Right not to be subject to automated decision-making (Art. 22): You have the right not to be subject to a decision based solely on automated processing that produces legal effects concerning you or similarly significantly affects you. The chatbot provides informational responses only and does not make automated decisions with legal or similarly significant effects.

We will respond to your request within one (1) month. This period may be extended by two further months where necessary, taking into account the complexity and number of requests. We will inform you of any such extension within one month of receipt of your request.

If your request is manifestly unfounded or excessive, we may charge a reasonable fee or refuse to act on it, in accordance with Article 12(5) of the GDPR.

10. Right to Lodge a Complaint

If you believe that we have not handled your personal data in accordance with applicable data protection law, you have the right to lodge a complaint with the competent supervisory authority. In Belgium, this is:

Gegevensbeschermingsautoriteit (GBA) / Autorité de protection des données (APD)
Drukpersstraat 35, 1000 Brussels, Belgium
Website: www.gegevensbeschermingsautoriteit.be
Email: [email protected]

You may also lodge a complaint with the supervisory authority in the EU Member State of your habitual residence or place of work.

11. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit (TLS/HTTPS) and at rest
  • Access controls and role-based permissions
  • Secure password hashing
  • Regular security reviews and updates
  • Database backups with restricted access

While we take reasonable precautions, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but will notify affected users and the relevant supervisory authority without undue delay in the event of a personal data breach, in accordance with Articles 33 and 34 of the GDPR.

12. Children's Data

The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you become aware that a child has provided us with personal data, please contact us at [email protected] and we will take steps to delete that data.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will notify you by email or through the Service at least thirty (30) days before the changes take effect. The "Last updated" date at the top of this page indicates when the latest revision was published.

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the revised Privacy Policy takes effect constitutes your acknowledgement of the changes.

14. Contact

For questions, requests, or complaints regarding this Privacy Policy or our data processing practices, please contact us at:

Studio Mikado
Belgium
Email: [email protected]
Website: mikabot.chat